| Risk Level | Number of Alerts |
|---|---|
| High | 0 |
| Medium | 8 |
| Low | 6 |
| Informational | 3 |
| False Positives | 0 |
| Name | Risk Level | Number of Instances |
|---|---|---|
| Application Error Disclosure | Medium | 1 |
| CSP: Wildcard Directive | Medium | 2 |
| CSP: script-src unsafe-inline | Medium | 1 |
| CSP: style-src unsafe-inline | Medium | 2 |
| Content Security Policy (CSP) Header Not Set | Medium | 9 |
| Cross-Domain Misconfiguration | Medium | 29 |
| Missing Anti-clickjacking Header | Medium | 4 |
| Session ID in URL Rewrite | Medium | 7 |
| Application Error Disclosure | Low | 1 |
| CSP: Notices | Low | 1 |
| Cookie with SameSite Attribute None | Low | 1 |
| Cross-Domain JavaScript Source File Inclusion | Low | 1 |
| Timestamp Disclosure - Unix | Low | 11159 |
| X-Content-Type-Options Header Missing | Low | 10 |
| Loosely Scoped Cookie | Informational | 4 |
| Information Disclosure - Suspicious Comments | Informational | 61 |
| Re-examine Cache-control Directives | Informational | 17 |
| Medium | Application Error Disclosure |
|---|---|
| Description | This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application. The alert could be a false positive if the error message is found inside a documentation page. |
| URL | https://adquirencia.labdigbdbstgcb.com/vendor.js |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Internal Server Error |
| Instances | 1 |
| Solution | Review the source code of this page. Implement custom error pages. Consider implementing a mechanism to provide a unique error reference/identifier to the client (browser) while logging the details on the server side and not exposing them to the user. |
| Reference | |
| CWE Id | 200 |
| WASC Id | 13 |
| Plugin Id | 90022 |
| Medium | CSP: Wildcard Directive |
|---|---|
| Description | Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including (but not limited to) Cross Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft to site defacement or distribution of malware. CSP provides a set of standard HTTP headers that allow website owners to declare approved sources of content that browsers should be allowed to load on that page; covered types are JavaScript, CSS, HTML frames, fonts, images and embeddable objects such as Java applets, ActiveX, audio and video files. |
| URL | https://adquirenciadigital.labdigbdbstgcb.com/ |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | default-src 'self' *.maxymiser.com *.maxymiser.net *.bluekai.com *.oracleinfinity.io tags.bkrtx.com tagmanager.google.com https://stats.g.doubleclick.net https://www.google.com https://www.google.com.co blob: https://checkip.amazonaws.com ; frame-ancestors https://*.bancodebogota.com https://*.bancodebogota.com.co https://*.bancodebogota.co https://*.labdigbdbqacb.com https://*.labdigbdbstgcb.com https://*.maxymiser.com https://*.maxymiser.net https://*.bluekai.com https://*.oracleinfinity.io; worker-src 'self'; connect-src 'self' https://stats.g.doubleclick.net https://*.maxymiser.com https://*.maxymiser.net https://*.bluekai.com https://*.oracleinfinity.io https://*.amazonaws.com https://tagmanager.google.com https://tags.bkrtx.com https://api.labdigbdbqacb.com https://api.labdigbdbstgcb.com https://apigateway.labdigitalbdbstaging.co https://api-staging.bancodebogota.co https://api-sbx.labdigbdbqacb.com https://api-sbx.labdigbdbstgcb.com api.labdigitalbdbstgcommons.co api.labdigitalbdbqacommons.co https://api-sbx.labdigitalbdbtvsqa.com https://wczvcnnh0k.execute-api.us-east-1.amazonaws.com https://ko39g42mf8.execute-api.us-east-1.amazonaws.com https://qpnjklwyxj.execute-api.us-east-1.amazonaws.com https://*.hotjar.io https://*.hotjar.com:* wss://*.hotjar.com https://cdn.appdynamics.com https://www.googletagmanager.com https://www.google-analytics.com https://col.eum-appdynamics.com https://api.ipify.org ; img-src 'self' data: https://*.gstatic.com https://www.google.com https://www.google.com.co https://*.bluekai.com https://*.hotjar.com https://*.hotjar.io https://ssl.gstatic.com https://www.google-analytics.com https://*.googleapis.com https://stats.g.doubleclick.net https://*.oracleinfinity.io ; script-src 'self' 'unsafe-eval' 'unsafe-inline' https://www.gstatic.com https://www.google.com https://*.googleapis.com https://*.maxymiser.com https://*.maxymiser.net https://*.bluekai.com https://*.oracleinfinity.io https://tags.bkrtx.com https://*.hotjar.com https://*.hotjar.io https://connect.facebook.net https://tagmanager.google.com https://static.ads-twitter.com https://googleads.g.doubleclick.net https://www.googletagmanager.com https://cdn.appdynamics.com https://www.google-analytics.com https://www.gstatic.com https://adquirenciadigital.labdigbdbqacb.com https://adquirenciadigital.labdigbdbstgcb.com ; frame-src 'self' https://*.hotjar.com https://*.hotjar.io https://www.google.com https://*.bluekai.com https://cdn.appdynamics.com https://www.youtube.com ; font-src 'self' https://fonts.gstatic.com https://*.hotjar.com https://*.maxymiser.com https://s3.amazonaws.com ; style-src 'self' 'unsafe-inline' https://*.maxymiser.com https://*.maxymiser.net https://*.bluekai.com https://*.oracleinfinity.io https://cdnjs.cloudflare.com https://tags.bkrtx.com https://s3.amazonaws.com https://fonts.googleapis.com https://tagmanager.google.com |
| URL | https://api-sbx.labdigbdbstgcb.com/acquire/V1/Product/eventData |
| Method | POST |
| Parameter | |
| Attack | |
| Evidence | default-src 'self';base-uri 'self';block-all-mixed-content;font-src 'self' https: data:;frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests |
| Instances | 2 |
| Solution | Ensure that your web server, application server, load balancer, etc. is properly configured to set the Content-Security-Policy header. |
| Reference | http://www.w3.org/TR/CSP2/ http://www.w3.org/TR/CSP/ http://caniuse.com/#search=content+security+policy http://content-security-policy.com/ https://github.com/shapesecurity/salvation https://developers.google.com/web/fundamentals/security/csp#policy_applies_to_a_wide_variety_of_resources |
| CWE Id | 693 |
| WASC Id | 15 |
| Plugin Id | 10055 |
| Medium | CSP: script-src unsafe-inline |
|---|---|
| Description | Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including (but not limited to) Cross Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft to site defacement or distribution of malware. CSP provides a set of standard HTTP headers that allow website owners to declare approved sources of content that browsers should be allowed to load on that page; covered types are JavaScript, CSS, HTML frames, fonts, images and embeddable objects such as Java applets, ActiveX, audio and video files. |
| URL | https://adquirenciadigital.labdigbdbstgcb.com/ |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | default-src 'self' *.maxymiser.com *.maxymiser.net *.bluekai.com *.oracleinfinity.io tags.bkrtx.com tagmanager.google.com https://stats.g.doubleclick.net https://www.google.com https://www.google.com.co blob: https://checkip.amazonaws.com ; frame-ancestors https://*.bancodebogota.com https://*.bancodebogota.com.co https://*.bancodebogota.co https://*.labdigbdbqacb.com https://*.labdigbdbstgcb.com https://*.maxymiser.com https://*.maxymiser.net https://*.bluekai.com https://*.oracleinfinity.io; worker-src 'self'; connect-src 'self' https://stats.g.doubleclick.net https://*.maxymiser.com https://*.maxymiser.net https://*.bluekai.com https://*.oracleinfinity.io https://*.amazonaws.com https://tagmanager.google.com https://tags.bkrtx.com https://api.labdigbdbqacb.com https://api.labdigbdbstgcb.com https://apigateway.labdigitalbdbstaging.co https://api-staging.bancodebogota.co https://api-sbx.labdigbdbqacb.com https://api-sbx.labdigbdbstgcb.com api.labdigitalbdbstgcommons.co api.labdigitalbdbqacommons.co https://api-sbx.labdigitalbdbtvsqa.com https://wczvcnnh0k.execute-api.us-east-1.amazonaws.com https://ko39g42mf8.execute-api.us-east-1.amazonaws.com https://qpnjklwyxj.execute-api.us-east-1.amazonaws.com https://*.hotjar.io https://*.hotjar.com:* wss://*.hotjar.com https://cdn.appdynamics.com https://www.googletagmanager.com https://www.google-analytics.com https://col.eum-appdynamics.com https://api.ipify.org ; img-src 'self' data: https://*.gstatic.com https://www.google.com https://www.google.com.co https://*.bluekai.com https://*.hotjar.com https://*.hotjar.io https://ssl.gstatic.com https://www.google-analytics.com https://*.googleapis.com https://stats.g.doubleclick.net https://*.oracleinfinity.io ; script-src 'self' 'unsafe-eval' 'unsafe-inline' https://www.gstatic.com https://www.google.com https://*.googleapis.com https://*.maxymiser.com https://*.maxymiser.net https://*.bluekai.com https://*.oracleinfinity.io https://tags.bkrtx.com https://*.hotjar.com https://*.hotjar.io https://connect.facebook.net https://tagmanager.google.com https://static.ads-twitter.com https://googleads.g.doubleclick.net https://www.googletagmanager.com https://cdn.appdynamics.com https://www.google-analytics.com https://www.gstatic.com https://adquirenciadigital.labdigbdbqacb.com https://adquirenciadigital.labdigbdbstgcb.com ; frame-src 'self' https://*.hotjar.com https://*.hotjar.io https://www.google.com https://*.bluekai.com https://cdn.appdynamics.com https://www.youtube.com ; font-src 'self' https://fonts.gstatic.com https://*.hotjar.com https://*.maxymiser.com https://s3.amazonaws.com ; style-src 'self' 'unsafe-inline' https://*.maxymiser.com https://*.maxymiser.net https://*.bluekai.com https://*.oracleinfinity.io https://cdnjs.cloudflare.com https://tags.bkrtx.com https://s3.amazonaws.com https://fonts.googleapis.com https://tagmanager.google.com |
| Instances | 1 |
| Solution | Ensure that your web server, application server, load balancer, etc. is properly configured to set the Content-Security-Policy header. |
| Reference | http://www.w3.org/TR/CSP2/ http://www.w3.org/TR/CSP/ http://caniuse.com/#search=content+security+policy http://content-security-policy.com/ https://github.com/shapesecurity/salvation https://developers.google.com/web/fundamentals/security/csp#policy_applies_to_a_wide_variety_of_resources |
| CWE Id | 693 |
| WASC Id | 15 |
| Plugin Id | 10055 |
| Medium | CSP: style-src unsafe-inline |
|---|---|
| Description | Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including (but not limited to) Cross Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft to site defacement or distribution of malware. CSP provides a set of standard HTTP headers that allow website owners to declare approved sources of content that browsers should be allowed to load on that page; covered types are JavaScript, CSS, HTML frames, fonts, images and embeddable objects such as Java applets, ActiveX, audio and video files. |
| URL | https://adquirenciadigital.labdigbdbstgcb.com/ |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | default-src 'self' *.maxymiser.com *.maxymiser.net *.bluekai.com *.oracleinfinity.io tags.bkrtx.com tagmanager.google.com https://stats.g.doubleclick.net https://www.google.com https://www.google.com.co blob: https://checkip.amazonaws.com ; frame-ancestors https://*.bancodebogota.com https://*.bancodebogota.com.co https://*.bancodebogota.co https://*.labdigbdbqacb.com https://*.labdigbdbstgcb.com https://*.maxymiser.com https://*.maxymiser.net https://*.bluekai.com https://*.oracleinfinity.io; worker-src 'self'; connect-src 'self' https://stats.g.doubleclick.net https://*.maxymiser.com https://*.maxymiser.net https://*.bluekai.com https://*.oracleinfinity.io https://*.amazonaws.com https://tagmanager.google.com https://tags.bkrtx.com https://api.labdigbdbqacb.com https://api.labdigbdbstgcb.com https://apigateway.labdigitalbdbstaging.co https://api-staging.bancodebogota.co https://api-sbx.labdigbdbqacb.com https://api-sbx.labdigbdbstgcb.com api.labdigitalbdbstgcommons.co api.labdigitalbdbqacommons.co https://api-sbx.labdigitalbdbtvsqa.com https://wczvcnnh0k.execute-api.us-east-1.amazonaws.com https://ko39g42mf8.execute-api.us-east-1.amazonaws.com https://qpnjklwyxj.execute-api.us-east-1.amazonaws.com https://*.hotjar.io https://*.hotjar.com:* wss://*.hotjar.com https://cdn.appdynamics.com https://www.googletagmanager.com https://www.google-analytics.com https://col.eum-appdynamics.com https://api.ipify.org ; img-src 'self' data: https://*.gstatic.com https://www.google.com https://www.google.com.co https://*.bluekai.com https://*.hotjar.com https://*.hotjar.io https://ssl.gstatic.com https://www.google-analytics.com https://*.googleapis.com https://stats.g.doubleclick.net https://*.oracleinfinity.io ; script-src 'self' 'unsafe-eval' 'unsafe-inline' https://www.gstatic.com https://www.google.com https://*.googleapis.com https://*.maxymiser.com https://*.maxymiser.net https://*.bluekai.com https://*.oracleinfinity.io https://tags.bkrtx.com https://*.hotjar.com https://*.hotjar.io https://connect.facebook.net https://tagmanager.google.com https://static.ads-twitter.com https://googleads.g.doubleclick.net https://www.googletagmanager.com https://cdn.appdynamics.com https://www.google-analytics.com https://www.gstatic.com https://adquirenciadigital.labdigbdbqacb.com https://adquirenciadigital.labdigbdbstgcb.com ; frame-src 'self' https://*.hotjar.com https://*.hotjar.io https://www.google.com https://*.bluekai.com https://cdn.appdynamics.com https://www.youtube.com ; font-src 'self' https://fonts.gstatic.com https://*.hotjar.com https://*.maxymiser.com https://s3.amazonaws.com ; style-src 'self' 'unsafe-inline' https://*.maxymiser.com https://*.maxymiser.net https://*.bluekai.com https://*.oracleinfinity.io https://cdnjs.cloudflare.com https://tags.bkrtx.com https://s3.amazonaws.com https://fonts.googleapis.com https://tagmanager.google.com |
| URL | https://api-sbx.labdigbdbstgcb.com/acquire/V1/Product/eventData |
| Method | POST |
| Parameter | |
| Attack | |
| Evidence | default-src 'self';base-uri 'self';block-all-mixed-content;font-src 'self' https: data:;frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests |
| Instances | 2 |
| Solution | Ensure that your web server, application server, load balancer, etc. is properly configured to set the Content-Security-Policy header. |
| Reference | http://www.w3.org/TR/CSP2/ http://www.w3.org/TR/CSP/ http://caniuse.com/#search=content+security+policy http://content-security-policy.com/ https://github.com/shapesecurity/salvation https://developers.google.com/web/fundamentals/security/csp#policy_applies_to_a_wide_variety_of_resources |
| CWE Id | 693 |
| WASC Id | 15 |
| Plugin Id | 10055 |
| Medium | Cross-Domain Misconfiguration |
|---|---|
| Description | Web browser data loading may be possible, due to a Cross Origin Resource Sharing (CORS) misconfiguration on the web server. |
| URL | https://api-sbx.labdigbdbstgcb.com/acquire/V1/Product/blacklist |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | access-control-allow-origin: * |
| URL | https://api-sbx.labdigbdbstgcb.com/acquire/V1/Product/openDbConnection |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | access-control-allow-origin: * |
| URL | https://api-sbx.labdigbdbstgcb.com/acquire/V1/Product/utm?uuid=9a3cfdf3-5387-47e5-8bdb-7cb9fe8205b8 |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | access-control-allow-origin: * |
| URL | https://api-sbx.labdigbdbstgcb.com/acquire/V1/Product/utm?uuid=d590139b-67e2-4967-99bb-3e6430b9db52 |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | access-control-allow-origin: * |
| URL | https://api-sbx.labdigitalbdbtvsstg.com/master-data-management-public/V1/Utilities/mdm/cities |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | access-control-allow-origin: * |
| URL | https://fonts.gstatic.com/s/roboto/v18/KFOmCnqEu92Fr1Mu4mxK.woff2 |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| URL | https://script.hotjar.com/modules.5107f832d0ffac1bd5aa.js |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| URL | https://script.hotjar.com/sentry.9d0a34fe0fb14b58e26b.js |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| URL | https://service.maxymiser.net/api/us/adquirenciadigital.bancodebogota/ad6e57/mmapi.js |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| URL | https://static.doubleclick.net/instream/ad_status.js |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| URL | https://static.hotjar.com/c/hotjar-2357996.js?sv=6 |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| URL | https://www.googletagmanager.com/gtag/js?id=G-3MHJRCD0ZW&l=dataLayer&cx=c |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| URL | https://www.googletagmanager.com/gtm.js?id=GTM-KK8NFL9 |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| URL | https://api-sbx.labdigbdbstgcb.com/acquire/V1/Product/blacklist |
| Method | OPTIONS |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| URL | https://api-sbx.labdigbdbstgcb.com/acquire/V1/Product/customers |
| Method | OPTIONS |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| URL | https://api-sbx.labdigbdbstgcb.com/acquire/V1/Product/digitalRequest |
| Method | OPTIONS |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| URL | https://api-sbx.labdigbdbstgcb.com/acquire/V1/Product/eventData |
| Method | OPTIONS |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| URL | https://api-sbx.labdigbdbstgcb.com/acquire/V1/Product/openDbConnection |
| Method | OPTIONS |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| URL | https://api-sbx.labdigbdbstgcb.com/acquire/V1/Product/utm |
| Method | OPTIONS |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| URL | https://api-sbx.labdigbdbstgcb.com/acquire/V1/Product/utm?uuid=9a3cfdf3-5387-47e5-8bdb-7cb9fe8205b8 |
| Method | OPTIONS |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| URL | https://api-sbx.labdigbdbstgcb.com/acquire/V1/Product/utm?uuid=d590139b-67e2-4967-99bb-3e6430b9db52 |
| Method | OPTIONS |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| URL | https://api-sbx.labdigitalbdbtvsstg.com/master-data-management-public/V1/Utilities/mdm/cities |
| Method | OPTIONS |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| URL | https://api-sbx.labdigbdbstgcb.com/acquire/V1/Product/customers |
| Method | POST |
| Parameter | |
| Attack | |
| Evidence | access-control-allow-origin: * |
| URL | https://api-sbx.labdigbdbstgcb.com/acquire/V1/Product/digitalRequest |
| Method | POST |
| Parameter | |
| Attack | |
| Evidence | access-control-allow-origin: * |
| URL | https://api-sbx.labdigbdbstgcb.com/acquire/V1/Product/eventData |
| Method | POST |
| Parameter | |
| Attack | |
| Evidence | access-control-allow-origin: * |
| URL | https://api-sbx.labdigbdbstgcb.com/acquire/V1/Product/utm |
| Method | POST |
| Parameter | |
| Attack | |
| Evidence | access-control-allow-origin: * |
| URL | https://in.hotjar.com/api/v2/client/sites/2357996/visit-data?sv=6 |
| Method | POST |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| URL | https://ws24.hotjar.com/api/v2/sites/2357996/recordings/content |
| Method | POST |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| URL | https://ws9.hotjar.com/api/v2/sites/2357996/recordings/content |
| Method | POST |
| Parameter | |
| Attack | |
| Evidence | Access-Control-Allow-Origin: * |
| Instances | 29 |
| Solution | Ensure that sensitive data is not available in an unauthenticated manner (using IP address allow-listing, for instance). Configure the "Access-Control-Allow-Origin" HTTP header to a more restrictive set of domains, or remove all CORS headers entirely, to allow the web browser to enforce the Same Origin Policy (SOP) in a more restrictive manner. |
| Reference | https://vulncat.fortify.com/en/detail?id=desc.config.dotnet.html5_overly_permissive_cors_policy |
| CWE Id | 264 |
| WASC Id | 14 |
| Plugin Id | 10098 |
| Medium | Missing Anti-clickjacking Header |
|---|---|
| Description | The response does not include either Content-Security-Policy with 'frame-ancestors' directive or X-Frame-Options to protect against 'ClickJacking' attacks. |
| URL | https://adquirencia.labdigbdbstgcb.com/customer-type?uuid=9a3cfdf3-5387-47e5-8bdb-7cb9fe8205b8 |
| Method | GET |
| Parameter | X-Frame-Options |
| Attack | |
| Evidence | |
| URL | https://adquirencia.labdigbdbstgcb.com/customer-type?uuid=d590139b-67e2-4967-99bb-3e6430b9db52 |
| Method | GET |
| Parameter | X-Frame-Options |
| Attack | |
| Evidence | |
| URL | https://vars.hotjar.com/box-21ccaa45726c0f3c8c458f7a87eb2298.html |
| Method | GET |
| Parameter | X-Frame-Options |
| Attack | |
| Evidence | |
| URL | https://www.youtube.com/embed/WPbRCJcVaac |
| Method | GET |
| Parameter | X-Frame-Options |
| Attack | |
| Evidence | |
| Instances | 4 |
| Solution | Modern Web browsers support the Content-Security-Policy and X-Frame-Options HTTP headers. Ensure one of them is set on all web pages returned by your site/app. If you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive. |
| Reference | https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options |
| CWE Id | 1021 |
| WASC Id | 15 |
| Plugin Id | 10020 |
| Low | Application Error Disclosure |
|---|---|
| Description | This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application. The alert could be a false positive if the error message is found inside a documentation page. |
| URL | https://api-sbx.labdigbdbstgcb.com/acquire/V1/Product/customers |
| Method | POST |
| Parameter | |
| Attack | |
| Evidence | HTTP/1.1 500 Internal Server Error |
| Instances | 1 |
| Solution | Review the source code of this page. Implement custom error pages. Consider implementing a mechanism to provide a unique error reference/identifier to the client (browser) while logging the details on the server side and not exposing them to the user. |
| Reference | |
| CWE Id | 200 |
| WASC Id | 13 |
| Plugin Id | 90022 |
| Low | CSP: Notices |
|---|---|
| Description | Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including (but not limited to) Cross Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft to site defacement or distribution of malware. CSP provides a set of standard HTTP headers that allow website owners to declare approved sources of content that browsers should be allowed to load on that page; covered types are JavaScript, CSS, HTML frames, fonts, images and embeddable objects such as Java applets, ActiveX, audio and video files. |
| URL | https://adquirenciadigital.labdigbdbstgcb.com/ |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | default-src 'self' *.maxymiser.com *.maxymiser.net *.bluekai.com *.oracleinfinity.io tags.bkrtx.com tagmanager.google.com https://stats.g.doubleclick.net https://www.google.com https://www.google.com.co blob: https://checkip.amazonaws.com ; frame-ancestors https://*.bancodebogota.com https://*.bancodebogota.com.co https://*.bancodebogota.co https://*.labdigbdbqacb.com https://*.labdigbdbstgcb.com https://*.maxymiser.com https://*.maxymiser.net https://*.bluekai.com https://*.oracleinfinity.io; worker-src 'self'; connect-src 'self' https://stats.g.doubleclick.net https://*.maxymiser.com https://*.maxymiser.net https://*.bluekai.com https://*.oracleinfinity.io https://*.amazonaws.com https://tagmanager.google.com https://tags.bkrtx.com https://api.labdigbdbqacb.com https://api.labdigbdbstgcb.com https://apigateway.labdigitalbdbstaging.co https://api-staging.bancodebogota.co https://api-sbx.labdigbdbqacb.com https://api-sbx.labdigbdbstgcb.com api.labdigitalbdbstgcommons.co api.labdigitalbdbqacommons.co https://api-sbx.labdigitalbdbtvsqa.com https://wczvcnnh0k.execute-api.us-east-1.amazonaws.com https://ko39g42mf8.execute-api.us-east-1.amazonaws.com https://qpnjklwyxj.execute-api.us-east-1.amazonaws.com https://*.hotjar.io https://*.hotjar.com:* wss://*.hotjar.com https://cdn.appdynamics.com https://www.googletagmanager.com https://www.google-analytics.com https://col.eum-appdynamics.com https://api.ipify.org ; img-src 'self' data: https://*.gstatic.com https://www.google.com https://www.google.com.co https://*.bluekai.com https://*.hotjar.com https://*.hotjar.io https://ssl.gstatic.com https://www.google-analytics.com https://*.googleapis.com https://stats.g.doubleclick.net https://*.oracleinfinity.io ; script-src 'self' 'unsafe-eval' 'unsafe-inline' https://www.gstatic.com https://www.google.com https://*.googleapis.com https://*.maxymiser.com https://*.maxymiser.net https://*.bluekai.com https://*.oracleinfinity.io https://tags.bkrtx.com https://*.hotjar.com https://*.hotjar.io https://connect.facebook.net https://tagmanager.google.com https://static.ads-twitter.com https://googleads.g.doubleclick.net https://www.googletagmanager.com https://cdn.appdynamics.com https://www.google-analytics.com https://www.gstatic.com https://adquirenciadigital.labdigbdbqacb.com https://adquirenciadigital.labdigbdbstgcb.com ; frame-src 'self' https://*.hotjar.com https://*.hotjar.io https://www.google.com https://*.bluekai.com https://cdn.appdynamics.com https://www.youtube.com ; font-src 'self' https://fonts.gstatic.com https://*.hotjar.com https://*.maxymiser.com https://s3.amazonaws.com ; style-src 'self' 'unsafe-inline' https://*.maxymiser.com https://*.maxymiser.net https://*.bluekai.com https://*.oracleinfinity.io https://cdnjs.cloudflare.com https://tags.bkrtx.com https://s3.amazonaws.com https://fonts.googleapis.com https://tagmanager.google.com |
| Instances | 1 |
| Solution | Ensure that your web server, application server, load balancer, etc. is properly configured to set the Content-Security-Policy header. |
| Reference | http://www.w3.org/TR/CSP2/ http://www.w3.org/TR/CSP/ http://caniuse.com/#search=content+security+policy http://content-security-policy.com/ https://github.com/shapesecurity/salvation https://developers.google.com/web/fundamentals/security/csp#policy_applies_to_a_wide_variety_of_resources |
| CWE Id | 693 |
| WASC Id | 15 |
| Plugin Id | 10055 |
| Low | Cookie with SameSite Attribute None |
|---|---|
| Description | A cookie has been set with its SameSite attribute set to "none", which means that the cookie can be sent as a result of a 'cross-site' request. The SameSite attribute is an effective counter measure to cross-site request forgery, cross-site script inclusion, and timing attacks. |
| URL | https://www.youtube.com/embed/WPbRCJcVaac |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | |
| Instances | 1 |
| Solution | Ensure that the SameSite attribute is set to either 'lax' or ideally 'strict' for all cookies. |
| Reference | https://tools.ietf.org/html/draft-ietf-httpbis-cookie-same-site |
| CWE Id | 1275 |
| WASC Id | 13 |
| Plugin Id | 10054 |
| Low | Cross-Domain JavaScript Source File Inclusion |
|---|---|
| Description | The page includes one or more script files from a third-party domain. |
| URL | https://adquirenciadigital.labdigbdbstgcb.com/ |
| Method | GET |
| Parameter | //service.maxymiser.net/api/us/adquirenciadigital.bancodebogota/ad6e57/mmapi.js |
| Attack | |
| Evidence | `<script type='text/javascript' src='//service.maxymiser.net/api/us/adquirenciadigital.bancodebogota/ad6e57/mmapi.js'></script>` |
| Instances | 1 |
| Solution | Ensure JavaScript source files are loaded from only trusted sources, and the sources can't be controlled by end users of the application. |
| Reference | |
| CWE Id | 829 |
| WASC Id | 15 |
| Plugin Id | 10017 |
| Low | X-Content-Type-Options Header Missing |
|---|---|
| Description | The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing. |
| URL | https://adquirencia.labdigbdbstgcb.com/customer-type?uuid=9a3cfdf3-5387-47e5-8bdb-7cb9fe8205b8 |
| Method | GET |
| Parameter | X-Content-Type-Options |
| Attack | |
| Evidence | |
| URL | https://adquirencia.labdigbdbstgcb.com/customer-type?uuid=d590139b-67e2-4967-99bb-3e6430b9db52 |
| Method | GET |
| Parameter | X-Content-Type-Options |
| Attack | |
| Evidence | |
| URL | https://api-sbx.labdigitalbdbtvsstg.com/master-data-management-public/V1/Utilities/mdm/cities |
| Method | GET |
| Parameter | X-Content-Type-Options |
| Attack | |
| Evidence | |
| URL | https://service.maxymiser.net/api/us/adquirenciadigital.bancodebogota/ad6e57/mmapi.js |
| Method | GET |
| Parameter | X-Content-Type-Options |
| Attack | |
| Evidence | |
| URL | https://vars.hotjar.com/box-21ccaa45726c0f3c8c458f7a87eb2298.html |
| Method | GET |
| Parameter | X-Content-Type-Options |
| Attack | |
| Evidence | |
| URL | https://www.googletagmanager.com/gtag/js?id=G-3MHJRCD0ZW&l=dataLayer&cx=c |
| Method | GET |
| Parameter | X-Content-Type-Options |
| Attack | |
| Evidence | |
| URL | https://www.googletagmanager.com/gtm.js?id=GTM-KK8NFL9 |
| Method | GET |
| Parameter | X-Content-Type-Options |
| Attack | |
| Evidence | |
| URL | https://in.hotjar.com/api/v2/client/sites/2357996/visit-data?sv=6 |
| Method | POST |
| Parameter | X-Content-Type-Options |
| Attack | |
| Evidence | |
| URL | https://ws24.hotjar.com/api/v2/sites/2357996/recordings/content |
| Method | POST |
| Parameter | X-Content-Type-Options |
| Attack | |
| Evidence | |
| URL | https://ws9.hotjar.com/api/v2/sites/2357996/recordings/content |
| Method | POST |
| Parameter | X-Content-Type-Options |
| Attack | |
| Evidence | |
| Instances | 10 |
| Solution | Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages. If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing. |
| Reference | http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx https://owasp.org/www-community/Security_Headers |
| CWE Id | 693 |
| WASC Id | 15 |
| Plugin Id | 10021 |
| Informational | Loosely Scoped Cookie |
|---|---|
| Description |
Cookies can be scoped by domain or path. This check is only concerned with domain scope. The domain scope applied to a cookie determines which domains can access it. For example, a cookie can be scoped strictly to a subdomain, e.g. www.nottrusted.com, or loosely scoped to a parent domain, e.g. nottrusted.com. In the latter case, any subdomain of nottrusted.com can access the cookie. Loosely scoped cookies are common in mega-applications like google.com and live.com. Cookies set from a subdomain like app.foo.bar are transmitted by the browser only to that host. However, cookies scoped to a parent-level domain may be transmitted to the parent, or to any subdomain of the parent.
|
| URL | https://www.youtube.com/embed/WPbRCJcVaac |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | |
| URL | https://www.youtube.com/embed/WPbRCJcVaac |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | |
| URL | https://www.youtube.com/embed/WPbRCJcVaac |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | |
| URL | https://www.youtube.com/embed/WPbRCJcVaac |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | |
| Instances | 4 |
| Solution |
Always scope cookies to a FQDN (Fully Qualified Domain Name).
|
| Reference |
https://tools.ietf.org/html/rfc6265#section-4.1
https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/06-Session_Management_Testing/02-Testing_for_Cookies_Attributes.html
http://code.google.com/p/browsersec/wiki/Part2#Same-origin_policy_for_cookies |
| CWE Id | 565 |
| WASC Id | 15 |
| Plugin Id | 90033 |
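The domain-scope rule the description above relies on, as an added example rather than code from the report, from ZAP or from the scanned site: a Python classifier that applies the RFC 6265 domain-matching rule to Set-Cookie headers and labels each cookie host-only, tight (Domain equals the responding host) or loose (Domain is a parent, so every subdomain receives it). The hosts and Set-Cookie values are constructed for the example; the youtube.com responses that triggered the finding are not reproduced.

```python
"""Classify the domain scope of Set-Cookie headers (added example).

The Set-Cookie strings and host names below are constructed for illustration;
they are not responses captured from the scanned hosts.
"""
from http.cookies import SimpleCookie


def domain_matches(host: str, cookie_domain: str) -> bool:
    """RFC 6265 section 5.1.3: a host domain-matches a cookie domain when the
    two are equal, or the host ends with '.' + cookie_domain.  The leading dot
    keeps 'evilnottrusted.com' from matching a Domain of 'nottrusted.com'."""
    host = host.lower().rstrip(".")
    cookie_domain = cookie_domain.lower().lstrip(".").rstrip(".")
    return host == cookie_domain or host.endswith("." + cookie_domain)


def cookie_scope(host: str, set_cookie: str) -> dict:
    """Return {name: {'domain': ..., 'scope': ...}} for every cookie in one
    Set-Cookie header value received from `host`.

    scope is 'host-only' (no Domain attribute: only `host` receives it),
    'tight' (Domain equals `host`), 'loose' (Domain is a parent of `host`, so
    all its subdomains receive the cookie) or 'rejected' (Domain does not
    cover `host`; RFC 6265 section 5.3 step 6 makes the browser drop it).
    Public-suffix checks (Domain=com) are deliberately out of scope here."""
    jar = SimpleCookie()
    jar.load(set_cookie)
    result = {}
    for name, morsel in jar.items():
        domain = morsel["domain"].lstrip(".").lower()
        if not domain:
            scope = "host-only"
            domain = host.lower()
        elif not domain_matches(host, domain):
            scope = "rejected"
        elif domain == host.lower():
            scope = "tight"
        else:
            scope = "loose"
        result[name] = {"domain": domain, "scope": scope}
    return result


def hosts_receiving(cookie_domain: str, hosts: list) -> list:
    """Which of `hosts` a browser would send a cookie with this Domain to."""
    return [h for h in hosts if domain_matches(h, cookie_domain)]


if __name__ == "__main__":
    # Constructed examples mirroring the description: the same cookie set
    # tightly (host-only) and loosely (parent domain).
    for header in ("session=abc; Path=/; Secure; HttpOnly",
                   "session=abc; Domain=foo.bar; Path=/; Secure; HttpOnly"):
        print(header, "->", cookie_scope("app.foo.bar", header))
    print(hosts_receiving("nottrusted.com",
                          ["www.nottrusted.com", "api.nottrusted.com",
                           "nottrusted.com", "nottrusted.com.evil.net"]))
```

A loosely scoped cookie reaches every present and future subdomain of the parent, so any subdomain that is compromised, delegated to a third party or left dangling in DNS can read it; omitting the Domain attribute (host-only) or setting it to the FQDN confines the cookie to the issuing host. The example does not consult the public suffix list, so a Domain set to a registrable suffix is not reported as rejected.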
| Informational | Re-examine Cache-control Directives |
|---|---|
| Descripción |
The cache-control header has not been set properly or is missing, allowing the browser and proxies to cache content. For static assets like css, js, or image files this might be intended, however, the resources should be reviewed to ensure that no sensitive content will be cached.
|
| URL | https://adquirencia.labdigbdbstgcb.com/customer-type?uuid=9a3cfdf3-5387-47e5-8bdb-7cb9fe8205b8 |
| Method | GET |
| Parameter | Cache-Control |
| Attack | |
| Evidence | |
| URL | https://adquirencia.labdigbdbstgcb.com/customer-type?uuid=d590139b-67e2-4967-99bb-3e6430b9db52 |
| Method | GET |
| Parameter | Cache-Control |
| Attack | |
| Evidence | |
| URL | https://adquirenciadigital.labdigbdbstgcb.com/ |
| Method | GET |
| Parameter | Cache-Control |
| Attack | |
| Evidence | |
| URL | https://api-sbx.labdigbdbstgcb.com/acquire/V1/Product/blacklist |
| Method | GET |
| Parameter | Cache-Control |
| Attack | |
| Evidence | |
| URL | https://api-sbx.labdigbdbstgcb.com/acquire/V1/Product/openDbConnection |
| Method | GET |
| Parameter | Cache-Control |
| Attack | |
| Evidence | |
| URL | https://api-sbx.labdigbdbstgcb.com/acquire/V1/Product/utm?uuid=9a3cfdf3-5387-47e5-8bdb-7cb9fe8205b8 |
| Method | GET |
| Parameter | Cache-Control |
| Attack | |
| Evidence | |
| URL | https://api-sbx.labdigbdbstgcb.com/acquire/V1/Product/utm?uuid=d590139b-67e2-4967-99bb-3e6430b9db52 |
| Method | GET |
| Parameter | Cache-Control |
| Attack | |
| Evidence | |
| URL | https://api-sbx.labdigitalbdbtvsstg.com/master-data-management-public/V1/Utilities/mdm/cities |
| Method | GET |
| Parameter | Cache-Control |
| Attack | |
| Evidence | |
| URL | https://vars.hotjar.com/box-21ccaa45726c0f3c8c458f7a87eb2298.html |
| Method | GET |
| Parameter | Cache-Control |
| Attack | |
| Evidence | max-age=31536000 |
| URL | https://api-sbx.labdigbdbstgcb.com/acquire/V1/Product/digitalRequest |
| Method | POST |
| Parameter | Cache-Control |
| Attack | |
| Evidence | |
| URL | https://api-sbx.labdigbdbstgcb.com/acquire/V1/Product/eventData |
| Method | POST |
| Parameter | Cache-Control |
| Attack | |
| Evidence | |
| URL | https://in.hotjar.com/api/v2/client/sites/2357996/visit-data?sv=6 |
| Method | POST |
| Parameter | Cache-Control |
| Attack | |
| Evidence | no-cache, no-store |
| URL | https://jnn-pa.googleapis.com/$rpc/google.internal.waa.v1.Waa/Create |
| Method | POST |
| Parameter | Cache-Control |
| Attack | |
| Evidence | private |
| URL | https://jnn-pa.googleapis.com/$rpc/google.internal.waa.v1.Waa/GenerateIT |
| Method | POST |
| Parameter | Cache-Control |
| Attack | |
| Evidence | private |
| URL | https://ws24.hotjar.com/api/v2/sites/2357996/recordings/content |
| Method | POST |
| Parameter | Cache-Control |
| Attack | |
| Evidence | no-cache, no-store |
| URL | https://ws9.hotjar.com/api/v2/sites/2357996/recordings/content |
| Method | POST |
| Parameter | Cache-Control |
| Attack | |
| Evidence | no-cache, no-store |
| URL | https://www.youtube.com/youtubei/v1/log_event?alt=json&key=AIzaSyAO_FJ2SlqU8Q4STEHLGCilw_Y9_11qcW8 |
| Method | POST |
| Parameter | Cache-Control |
| Attack | |
| Evidence | |
| Instances | 17 |
| Solution |
Whenever possible ensure the cache-control HTTP header is set with "no-cache, no-store, must-revalidate". If an asset should be cached consider setting the directives "public, max-age, immutable".
|
| Reference |
https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html#web-content-caching
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cache-Control |
| CWE Id | 525 |
| WASC Id | 13 |
| Plugin Id | 10015 |
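The two header fixes recommended in the Solution cells of the X-Content-Type-Options finding and of the Cache-Control finding above, as one added example (not code from the report, from ZAP or from the scanned application): a standard-library WSGI middleware that guarantees a Content-Type, sets X-Content-Type-Options: nosniff and applies a path-dependent Cache-Control policy, next to an audit function that reproduces both checks on a response's header list. The backend app, the asset-path pattern and the two policy strings are assumptions made for the example. It covers only the application's own origins: the hotjar.com, googletagmanager.com, googleapis.com, maxymiser.net and youtube.com responses listed among the instances are served by those providers, and their headers cannot be set from this application.

```python
"""Response-header hardening for the nosniff and Cache-Control findings (added example).

The backend app, paths and policy strings are constructed for illustration.
"""
import re
from typing import Callable

# Assumption: fingerprinted static assets are recognised by extension.  What
# counts as a cacheable asset is an application decision, not a report fact.
STATIC_ASSET = re.compile(r"\.(?:js|css|png|jpg|svg|woff2?)$", re.IGNORECASE)
SENSITIVE_POLICY = "no-cache, no-store, must-revalidate"  # what the report asks for
ASSET_POLICY = "public, max-age=31536000, immutable"


def parse_cache_control(value: str) -> dict:
    """Split 'no-cache, max-age=0' into {'no-cache': None, 'max-age': '0'}."""
    directives = {}
    for token in value.split(","):
        token = token.strip().lower()
        if token:
            name, _, arg = token.partition("=")
            directives[name.strip()] = arg.strip() or None
    return directives


def audit_headers(headers: list, path: str) -> list:
    """Return the findings a scanner would raise for a response's headers.
    Static assets are exempt from the Cache-Control check, as the report's
    description allows; everything else needs all three directives."""
    lower = {k.lower(): v for k, v in headers}
    findings = []
    if "content-type" not in lower:
        findings.append("Content-Type missing")
    if lower.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options missing or not 'nosniff'")
    if not STATIC_ASSET.search(path):
        cc = parse_cache_control(lower.get("cache-control", ""))
        missing = [d for d in ("no-cache", "no-store", "must-revalidate") if d not in cc]
        if missing:
            findings.append("Cache-Control lacks " + ", ".join(missing))
    return findings


class SecurityHeadersMiddleware:
    """Wrap any WSGI app.  Cache-Control, Pragma and X-Content-Type-Options set by
    the app are replaced rather than duplicated; a missing Content-Type falls
    back to application/octet-stream so nothing is left for the browser to sniff."""

    def __init__(self, app: Callable, default_content_type: str = "application/octet-stream"):
        self.app = app
        self.default_content_type = default_content_type

    def __call__(self, environ, start_response):
        path = environ.get("PATH_INFO", "/")

        def _start_response(status, headers, exc_info=None):
            kept = [(k, v) for k, v in headers
                    if k.lower() not in ("x-content-type-options", "cache-control", "pragma")]
            if not any(k.lower() == "content-type" for k, _ in kept):
                kept.append(("Content-Type", self.default_content_type))
            kept.append(("X-Content-Type-Options", "nosniff"))
            if STATIC_ASSET.search(path):
                kept.append(("Cache-Control", ASSET_POLICY))
            else:
                kept.append(("Cache-Control", SENSITIVE_POLICY))
                kept.append(("Pragma", "no-cache"))  # for HTTP/1.0 intermediaries
            return start_response(status, kept, exc_info)

        return self.app(environ, _start_response)


def demo_app(environ, start_response):
    """Constructed backend that, like the flagged responses, sets no nosniff
    header and uses the max-age value quoted as evidence in the report."""
    if STATIC_ASSET.search(environ.get("PATH_INFO", "/")):
        start_response("200 OK", [("Content-Type", "application/javascript")])
        return [b"console.log('asset');"]
    start_response("200 OK", [("Content-Type", "application/json"),
                              ("Cache-Control", "max-age=31536000")])
    return [b'{"customer": "data"}']


def call(app: Callable, path: str, method: str = "GET") -> tuple:
    """Drive a WSGI app in-process; return (status, headers, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, list(headers)

    environ = {"REQUEST_METHOD": method, "PATH_INFO": path, "SERVER_NAME": "localhost",
               "SERVER_PORT": "443", "wsgi.url_scheme": "https"}
    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    hardened = SecurityHeadersMiddleware(demo_app)
    for path in ("/acquire/V1/Product/utm", "/vendor.js"):
        _, raw, _ = call(demo_app, path)
        _, fixed, _ = call(hardened, path)
        print(path, "before:", audit_headers(raw, path), "after:", audit_headers(fixed, path))
```

Two of the evidence values in the table are worth reading against the policy: `private` only keeps shared caches out and leaves the browser free to store the response, and `no-cache` alone means stored but revalidated before reuse; only `no-store` prevents storage, which is why the audit insists on all three directives for non-asset responses.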